This lesson explores Cloud IAM using the GCP console (GUI) and Cloud Shell, Google Cloud's ephemeral shell environment. The demo requires more than one principal in your GCP project. IAM already lists your own email address as a member, so we will create a second principal in the current project.

Use of service account#

Remember that GCP IAM has several kinds of members (principals): Google accounts, service accounts, Google groups, domains and more. We will use a service account to stand in for a second user in our project. So, let's start.

Cloud IAM quick start#

In this hands-on lab, we will work with two principals: your own account and a new service account. The service account will be granted permission to list the contents of a bucket. (A Cloud Storage bucket is a container that can store any object.) Next, we will remove the permission and try to list the bucket's contents again.

Creating a second user#

  1. Open the GCP console.

  2. Go to IAM & Admin > Service Accounts

Update: In the latest console update, IAM & Admin has been restructured into the Identity & Security menu. To reach the service account menu, go to Identity & Security > Identity > Service Accounts.

  3. Click on "Create Service Account."

  4. Provide a name for the SA (Service Account).

  5. Provide a description if required.

  6. Leave the optional fields as they are, move forward, and click "Create". Then click on the "Done" button.

Assign a role to the new user#

Now that we have two principals in our project, let's give the newly created service account some permissions. Until it has at least one role binding, the service account will not be listed on the IAM page.

  1. Open IAM & Admin > IAM

  2. Click the "Add" button.

  3. In the new members' input field, type the new service account's name; it will auto-populate.

  4. To assign a role, scroll down and select Cloud Storage > Storage Object Viewer.

  5. Click on Save.

Select the service account, assign the "Storage Object Viewer" role, and click on the "Save" button.

Note that this binding is made at the project level, so it lets the service account read and list objects in every bucket in the project, not only the bucket we create next. In a real project, grant the role on the bucket itself to keep the service account to least privilege.

Creating a Storage Bucket#

Now that we have two principals, let's create a bucket and upload one random file to it.

  1. Go to Main Menu > Storage > Browser

  2. Click on the "CREATE BUCKET" button.

  3. Provide a globally unique bucket name, leave all other defaults as they are, and hit the "CREATE" button.

  4. Click on the "UPLOAD FILES" button and upload any file from your system.

The file will be uploaded to the bucket, and you can watch the upload status of the file on the screen.

Cloud shell#

Now, we will use Cloud Shell to list the bucket's contents as the newly created service account.

  1. Click on the "Activate cloud shell" icon in the top right corner. Cloud Shell takes some time to start; meanwhile, you can download the service account key file.

To use a service account outside of Google Cloud, for example on another platform or in Cloud Shell, you must first prove the service account's identity to Google. We will create a private key file for that in Step 4. This key is a long-lived credential: anyone who obtains the file can act as the service account until the key is deleted, so keep the file safe and delete the key when you are done with the lab.

A terminal will start at the bottom of the page.

  2. Go to IAM & Admin > Service Accounts

  3. To create a key file (identity file) for the service account, click the three-dot icon on the right side and choose the "Manage Keys" option.

  4. Click on the "Create new key" option and choose "JSON" for the file type. Click on "CREATE" to download the key file.

  5. Upload the downloaded key file to Cloud Shell using the three-dot icon and the "Upload File" option.

  6. In Cloud Shell, type gcloud auth activate-service-account --key-file=[path/to/keyfile.json]. After this command, gcloud acts as the service account rather than as your own user.

gcpheadstart@cloudshell:~ (gcp-headstart-educative)$ gcloud auth activate-service-account --key-file=gcp-headstart-educative-308308-914a4bba983d.json
Activated service account credentials for: [iam-quickstart@gcp-headstart-educative.iam.gserviceaccount.com]
  7. This activates the service account as the current account. To verify, type gcloud config list; the account field under [core] should show the service account's email.

gcpcourseeducative@cloudshell:~ (gcp-headstart-educative-308308)$ gcloud config list
[component_manager]
disable_update_check = True
[compute]
gce_metadata_read_timeout_sec = 30
[core]
account = iam-quickstart@gcp-headstart-educative-308308.iam.gserviceaccount.com
disable_usage_reporting = True
project = gcp-headstart-educative-308308
[metrics]
environment = devshell

Your active configuration is: [cloudshell-30113]

  8. Type gsutil ls gs://[bucketname], using the name you gave your bucket earlier. (Bucket names are globally unique, so yours will differ from the one used in this lesson, iam-demo-educative.) The command should list the bucket's contents: the file you uploaded earlier.

  9. Now remove the service account's permissions using IAM & Admin > IAM. Click the pencil icon on the right of the service account's row, delete the assigned role by clicking the delete button, and click the "SAVE" button.

  10. Come back to Cloud Shell and run gsutil ls gs://[bucketname] again.

  11. You should now get an AccessDeniedException: 403 error. The error message typically names the permission the service account no longer holds, storage.objects.list.

Role changes take some time to propagate, and caching can add to the delay. So, if a permission change does not seem to take effect immediately, don't panic; most likely it is the local cache of the GCP Cloud Shell. Once you restart the Cloud Shell session or refresh the web page, you are good to go.
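The grant and revoke steps above are, under the hood, a read-modify-write of the project's IAM policy: the console fetches the policy, edits the binding for the role, and writes the policy back. The script below models that edit offline. It is an added example for this lesson, not code from the original page or from Google. It works on a policy in the JSON shape returned by gcloud projects get-iam-policy PROJECT --format=json (a list of role-to-members bindings plus an etag); the project ID, service account and role are the ones used in this lesson, while the sample policy, the owner email and the etag value are constructed so the script runs without a GCP project.

```python
"""Model of the IAM policy edits the console performs in this lab (added example)."""
import copy
import json

PROJECT = "gcp-headstart-educative-308308"
SA_MEMBER = ("serviceAccount:iam-quickstart@"
             "gcp-headstart-educative-308308.iam.gserviceaccount.com")
OBJECT_VIEWER = "roles/storage.objectViewer"

# Constructed sample: the project policy before the lab, with only your own
# account bound (the owner email and etag are made up for this example).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:you@example.com"]},
    ],
    "etag": "BwXyz123abc=",
    "version": 1,
}


def roles_for(policy, member):
    """Roles the member holds in this policy (what the IAM page shows per principal)."""
    return sorted(b["role"] for b in policy["bindings"]
                  if member in b.get("members", []))


def grant(policy, role, member):
    """Return a new policy with member added to role (the 'Add' + 'Save' step).
    The input policy is not modified, so it can be kept for comparison."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke(policy, role, member):
    """Return a new policy with member removed from role (pencil -> delete -> 'Save').
    A binding left with no members is dropped entirely."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    new["bindings"] = kept
    return new


def project_wide_object_viewers(policy):
    """Members that can list and read objects in every bucket of the project.
    A project-level Storage Object Viewer binding is broader than this lab needs;
    the same role granted on the single bucket would be least privilege."""
    return sorted(m for b in policy["bindings"]
                  if b["role"] == OBJECT_VIEWER for m in b["members"])


def policy_json(policy):
    """Serialise for `gcloud projects set-iam-policy PROJECT policy.json`.
    The etag is carried through so the write fails if the policy changed
    between the read and the write."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    granted = grant(SAMPLE_POLICY, OBJECT_VIEWER, SA_MEMBER)
    print("after grant:", roles_for(granted, SA_MEMBER))
    print("project-wide object readers:", project_wide_object_viewers(granted))
    revoked = revoke(granted, OBJECT_VIEWER, SA_MEMBER)
    print("after revoke:", roles_for(revoked, SA_MEMBER))
    print(policy_json(revoked))
```

In practice you would not hand-edit the policy for a single binding: gcloud projects add-iam-policy-binding and gcloud projects remove-iam-policy-binding do this read-modify-write for you, taking the same --member and --role values shown above. The functions here make the effect of each console click visible, including that revoking the last member deletes the binding rather than leaving an empty one.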

You can try different roles to explore all the predefined roles.

This completes the quick start lab for Cloud IAM. Remember to delete the storage bucket by clicking the three-dot icon (kebab menu) associated with the bucket so you don't get billed for it. Also delete the service account key you downloaded (IAM & Admin > Service Accounts > Manage Keys), or the service account itself, so the credential file cannot be used later.

All GCP services expose APIs. You may have heard that Google introduced a new Vision API; similarly, Google Cloud has an API for every service. The next step is to learn more about using and enabling GCP APIs.
